I'm newbie to Facebook Graph API and Facebook JavaScript SDK but I'd like to know some things:
Is there any way to put my Access Token in a Open Source application without actually showing it? I'm using GitHub and for security purposes I'd like to make it private.
Can I show my user information without asking the users to Authenticate themselves?
Where in Facebook Developers App can I allow more "scopes" to share publicly? For example, user_photos, user_posts, user_likes, user_status, etc...
These "scopes" that Facebook allows by default are actually the information I'm getting from the user while I'm Authenticating them right?
Just to clarify what I'm trying to do, I want to share things about my Facebook Account through the Facebook Graph API in the gh-pages branch on GitHub, but I don't like the idea of having to authenticate every single user that has access to the page.
I'd like to make my user information public, but don't want to show my access token, because it's Open Source and it can get dangerous eventually.
If you'd like to see my repository and have a better understanding of the project. You can access https://github.com/iszwnc/rye
If I recap:
you don't want to share your app access token (good!),
you don't want your users to authenticate.
Basically, you can't hide your token and let your users query Facebook directly. You need some server-side code on a machine that would be the only one reaching Facebook. Your server would play the role of an interface between Facebook and your users. So you will have to:
do the API calls from a server using server-side code (i.e. Node.js),
save the information you want in a database. This is optional but better to avoid the same information to be retrieved multiple times, thus avoiding your future 100 users to (voluntarily or not) reach your app API limit.
let the users query your server using some client-side code (i.e. AngularJS) in order to retrieve what you and only you know (remember, you own the token).
About Github, don't share your token on it. People can generate their own token if they want to run your app. Here are several suggestions:
Add your token to an environment variable which you can set just before launching the app (don't forget to mention that in your README),
Add your token to a file:
Create a credentials.js file that contains an empty token:
// Please use your own token
var APP_TOKEN = '';
Commit the file to Github,
Have a .gitignore file that contains the credentials.js,
var APP_TOKEN = 'now-you-can-put-your-token-here';
Good luck with your project, it looks exciting :-)
Related
I am building an app using HTML, CSS, and Javascript, and am trying to configure OAuth to use it to access data from the Goodreads API. I basically want to get a list of books that a Goodreads member has read in the current year and display statistics about the metadata of these books. I'm pretty new to Javascript and using API's and don't have a super good grasp on OAuth and API authentication in general so I would really appreciate it if it could be explained as simply as possible.
From what I understand I need to create a login button on my page that contains a link that looks something like this:
http://www.goodreads.com/oauth/authorize?oauth_token=SCDMymQWcIE8GnxmSA
When the user clicks this button they'll visit goodreads.com where they'll login to their account. After accepting the permissions, the user will be redirected to back to your site along with an access token that would contain the user's ID. At this point I would use the user ID to pull data about the books on their shelves.
I'm not really sure how to go about writing this in my Javascript file though. How do I go about authorizing via OAuth and storing the user's ID? From the Goodreads Developers group it seems like the Goodreads API uses OAuth 1.0 which I believe is relevant to how I will need to approach this.
I'm building a web application that allows a specific user to upload videos to a YouTube account through the use of the YouTube API. The uploading of videos will be done by only one person & videos will be uploaded only to one account. If the YouTube account is already authorized by the app to manage the channel etc, how can I setup the application in such a way that the user bypasses the authentication/login screen every time he/she needs to upload a video? (That is when the user exits and re-enters application.)
While reading, a solution I stumbled upon a solution which was to use a refresh token but I don't know how to integrate it with the code I have currently. The code I'm using is the one available on the Google Developers site, link below.
https://developers.google.com/youtube/v3/code_samples/javascript#upload-a-video
Please note that I've gone through & read all similar questions on this forum but none provides Javascript help/solution.
Normally i would say that you should use a service account which would allow you to preauthorize the access to YouTube. However the YouTube API does not support service accounts so your going to have to do it the hard way.
You will need to authenticate your application once and save the refresh token. Then you will be able to use the refresh token again later to get a new access token. You will have to watch this application refresh tokens can expire its rare but it can happen so you should have something set up that will allow you to quickly reauthenticate it and save a new refresh token.
To my knowledge it is not possible to get a refresh token with JavaScript your going to have to use a server sided language like node.js for example. This tutorial should show you how to get offline access with node js. Node.js Quickstart
A few web-based applications I maintain have been using JavaScript on the page to fetch posts from Instagram* through their API, only authenticating with a client_id. With the Instagram API changes recently (applications are sandboxed until approved) this no longer works.
Is this kind of application allowed by Instagram? Or is it considered a security risk to expose the client_id in the Javascript that performs the request? If it matters, the application is for internal use by a few employees only.
* Specifically, the 10 last posts from a fixed user.
All instagram API endpoints now require a valid access_token rather than client_id. The search endpoint is an example of one that didn't previously require an access_token. You can find this in the Change logs
All API endpoints require a valid access_token
All API endpoints require a specific permission scope granted by the user
You can authorise your own account and grab the last 20 posts, but for any more than that you will need to submit your app for review
Try to create a new app.. My app was deleted instead of going to sandbox mode.
As you need 10 last posts, this should work on sandbox mode.
Content Display for Personal Website. If you are a developer and you want to showcase Instagram content on a website, then you do not need to submit your app for review. By using a client in sandbox mode, you will still be able to access the last 20 media of any sandbox user that grants you permission.
I'm trying to create a Javascript application that has a filterable listing of certain kinds of public Facebook events. The thing is, the FB Graph API requires that you provide a User Access token in order to use the search for public events. I really don't want to make people log in to facebook in order to use the website, especially because ANY facebook user's credentials are sufficient to query the events I want to query (ie the search is independent of any user credentials, I just need them because the fb api requires me to have a user access token.)
Do y'all have any suggestions for a work around? I'm thinking about providing my own credentials securely, and just using them to make the actual queries. The thing is I would potentially need to be doing A LOT of queries per minute, so this might not be terribly realistic. Any suggestions would be helpful.
Simply do this server-side not client-side.
You just need an app token (no user token) to do this search, but using this client-side is a bad idea since it would expose your app token publicly.
First of all, I'm not sure whether this is a Dropbox API or an OAuth question, but maybe some of you can give me some insight of my problem.
I'll explain my scenario.
My application is written in Javascript, and its purpose is to run seamlessly on a screen (fullscreen/browser), fetching some pictures of my account and "slideshowing" them. Nothing too difficult at a first glance. I've managed to authorize my application, store the access token and secret on localstorage for later use. It is working so far.
However, this application will run on lots of screens. This means that on each first run of the app I must be there to enter me credentials in order for that particular application instance to have access to the API. Well, this isn't possible.
After the first run, and after my interaction by entering the credentials, the application would get an access token and then would be able to access the API.
Hard-coding the access token in all instances is possible, but I'm sure this isn't recommended as it poses some threat to my own account.
How can I give authentication to my every application instance (screen) without requiring the owner to interact once for each instance?
Am I missing something?
Thank you.